Thanks for clarification. I do support your advise. However in case SSL is not available, then how can we implement this browser side encryption. Pls suggest.
On Wednesday, September 24, 2014 5:23:50 PM UTC+5:30, Marvin Addison wrote: > > > I think he refers to the client side (the browser) encrypting the > password, shipping that through to the server, and the server decrypting > it. > > It's hard to imagine what additional security that would provide in > addition to SSL/TLS transport security that encrypts the entire form > payload including the password. The security characteristics are the > same: the client has access to the cleartext password and the server > has access to the decryption key to decrypt the ciphertext. You add > some new problems like browser support for encryption and symmetric > key exchange/management. I would strongly advise against it. > > M > > -- > You are currently subscribed to [email protected] <javascript:> as: > [email protected] <javascript:> > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
